Static Program Analysis using Abstract Interpretation

Size: px

Start display at page:

Download "Static Program Analysis using Abstract Interpretation"

Lydia Quinn
5 years ago
Views:

1 Static Program Analysis using Abstract Interpretation

2 Introduction

3 Static Program Analysis Static program analysis consists of automatically discovering properties of a program that hold for all possible execution paths of the program. Static program analysis is not Testing: manually checking a property for some execution paths Model checking: automatically checking a property for all execution paths

4 Program Analysis for what? Optimizing compilers Semantic preprocessing: Model checking Automated test generation Program verification

5 Program Verification Check that every operation of a program will never cause an error (division by zero, buffer overrun, deadlock, etc.) Example: int a[1000]; for (i = 0; i < 1000; i++) { safe operation a[i] = ; // 0 <= i <= 999 } buffer overrun a[i] = ; // i = 1000;

6 Incompleteness of Program Analysis Discovering a sufficient set of properties for checking every operation of a program is an undecidable problem! Every non trivial behavioral property has (at least) NP complexity False positives: operations that are safe in reality but which cannot be decided safe or unsafe from the properties inferred by static analysis.

7 Precision versus Efficiency Precision: number of program operations that can be decided safe or unsafe by an analyzer. Precision and computational complexity are strongly related Tradeoff precision/efficiency: limit in the average precision and scalability of a given analyzer Greater precision and scalability is achieved through specialization

8 Soundness What guarantees the soundness of the analyzer results? In dataflow analysis and type inference the soundness proof of the resolution algorithm is independent from the analysis specification An independent soundness proof precludes the use of test-and-try techniques Need for analyzers correct by construction

9 Abstract Interpretation A general methodology for designing static program analyzers that are: Correct by construction Generic Easy to fine-tune Scalability is difficult to achieve but the payoff is worth the effort!

10 Approximation The core idea of Abstract Interpretation is the formalization of the notion of approximation An approximation of memory configurations is first defined Then the approximation of all atomic operations The approximation is automatically lifted to the whole program structure

11 Overview of Abstract Interpretation Start with a formal specification of the program semantics (the concrete semantics) Construct abstract semantic equations w.r.t. a parametric approximation scheme Use general fixpoints algorithms to solve the abstract semantic equations Try-and-test various instantiations of the approximation scheme in order to find the best fit

12 The Methodology of Abstract Interpretation

13 Methodology Concrete Semantics Tuners Collecting Semantics Abstract Domain Abstract Domain Partitioning Abstract Semantics Iterative Resolution Algorithms

14 Lattices and Fixpoints A lattice (L,,,,, ) is a partially ordered set (L, ) with: Least upper bounds ( ) and greatest lower bounds ( ) operators A least element bottom : A greatest element top : L is complete if all least upper bounds exist A fixpoint X of F: L L satisfies F(X) = X We denote by lfp F the least fixpoint if it exists

15 Fixpoint Theorems Knaster-Tarski theorem: If F: L L is monotone and L is a complete lattice, the set of fixpoints of F is also a complete lattice. Kleene theorem: If F: L L is monotone, L is a complete lattice and F preserves all least upper bounds then lfp F is the limit of the sequence: F 0 = F n+1 = F (F n )

16 Methodology Concrete Semantics Tuners Collecting Semantics Abstract Domain Abstract Domain Partitioning Abstract Semantics Iterative Resolution Algorithms

17 Concrete Semantics Small-step operational semantics: ( s = program point, env s s' Example: 1: n = 0; 2: while n < 1000 do 3: n = n + 1; 4: end 5: exit 1, n n 0 n 0 n 1 n 1 n 1000 Undefined value

18 Control Flow Graph 1: n = 0; n = 0 1 2: while n < 1000 do n n < : n = n + 1; 4: end 3 4 n = n + 1 5: exit 5

19 Transition Relation Control flow graph: i op j Operational semantics: i, ε j, op ε Semantics of op

20 Methodology Concrete Semantics Tuners Collecting Semantics Abstract Domain Abstract Domain Partitioning Abstract Semantics Iterative Resolution Algorithms

21 Collecting Semantics The collecting semantics is the set of observable behaviours in the operational semantics. It is the starting point of any analysis design. The set of all descendants of the initial state The set of all descendants of the initial state that can reach a final state The set of all finite traces from the initial state The set of all finite and infinite traces from the initial state etc.

22 Which Collecting Semantics? Buffer overrun, division by zero, arithmetic overflows: state properties Deadlocks, un-initialized variables: finite trace properties Loop termination: finite and infinite trace properties

23 State properties The set of descendants of the initial state s 0 : S = {s s 0 s} Theorem: F : ( ( ), ) ( ( ), ) F (S) = {s 0 } s' s S: s s' S = lfp F

24 Example 1: n = 0; 2: while n < 1000 do 3: n = n + 1; 4: end 5: exit S = { 1, n n 0 n 0 n 1 n 1 n 1000 }

25 Computation F0 = F1 = { 1,n Ω } F2 = { 1,n Ω, 2,n 0 } F3 = { 1,n Ω, 2,n 0, 3,n 0 } F4 = { 1,n Ω, 2,n 0, 3,n 0, 4,n 1 }...

26 Methodology Concrete Semantics Tuners Collecting Semantics Abstract Domain Abstract Domain Partitioning Abstract Semantics Iterative Resolution Algorithms

27 Partitioning We partition the set S of states w.r.t. program points: Σ = Σ 1 Σ 2... Σ n Σ i = { k, ε Σ k = i } F(S 1,..., S n ) 0 = { s 0 } F(S 1,..., S n ) i = {s' S i j s S j : s s'} i.e. F(S 1,..., S n ) i = { i, op ε j op i CFG (P)}

28 Illustration Σ Σ S 1 Σ 1 1, e 1 1, e 2 i, op ε 1 i, op ε 2 S i S j Σ j j, ε 1 j, ε 2 F Σ i

29 Semantic Equations Notation: E i = set of environments at program point i System of semantic equations: op E i = U { op E j j i CFG (P) } Solution of the system S = lfp F

30 Example 1: n = 0; 2: while n < 1000 do 3: n = n + 1; 4: end 5: exit E 1 = {n } E 2 = n = 0 E 1 E 4 E 3 = E 2 ]-, 999] E 4 = n = n + 1 E 3 E 5 = E 2 [1000, [

31 Example E 1 = {n } 1: n = 0; E 2 2: = while n = 0 n < E E 4 do 3: n = n + 1; 4: end E5: 3 = Eexit 2 ]-, 999] 1 n = 0 2 n 1000 n < n = n + 1 E 4 = n = n + 1 E 3 4 E 5 = E 2 [1000, [ 5

32 Methodology Concrete Semantics Tuners Collecting Semantics Abstract Domain Abstract Domain Partitioning Abstract Semantics Iterative Resolution Algorithms

33 Approximation Problem: Compute a sound approximation S # of S S S # Solution: Galois connections

34 Galois Connection L 1, L 2 two lattices Abstract domain (L 1, ) (L 2, ) x y : (x) y x (y) x y : x (x) & o (y) y

35 Fixpoint Approximation Abstract computation o F o L 2 L 2 Concrete computation Theorem: L 1 F lfp F (lfp o F o ) L 1

36 Abstracting the Collecting Semantics Find a Galois connection: ( ( ), ) (, ) Find a function: o F o F #

37 Abstract Algebra Notation: E the set of all environments Galois connection: ( (E), ) (E #, ), approximated by, Semantics op approximated by op # o op o op #

38 Abstract Semantic Equations 1: n = 0; 2: while n < 1000 do 3: n = n + 1; 4: end; 5: exit; E 1# = {n }) E 2# = n = 0 # E 1 # E 4 # E 3# = E 2 # ]-, 999]) E 4# = n = n + 1 # E 3 # E 5# = E 2 # [1000, [)

39 Methodology Concrete Semantics Tuners Collecting Semantics Abstract Domain Abstract Domain Partitioning Abstract Semantics Iterative Resolution Algorithms

40 Abstract Domains Various kinds of approximations: Signs (non relational) x +, y -,... Intervals (nonrelational): x [3, 9], y [-23, 4],... Polyhedra (relational): x + y - 2z 10,... Difference-bound matrices (weakly relational): y - x z - y

41 Example: intervals 1: n = 0; 2: while n < 1000 do 3: n = n + 1; 4: end 5: exit Iteration 1: E 2# = [0, 0] Iteration 2: E 2# = [0, 1] Iteration 3: E 2# = [0, 2] Iteration 4: E 2# = [0, 3]...

42 Problem How to cope with lattices of infinite height? Solution: automatic extrapolation operators

43 Methodology Concrete Semantics Tuners Collecting Semantics Abstract Domain Abstract Domain Partitioning Abstract Semantics Iterative Resolution Algorithms

44 Widening operator Lattice (L, ): L L L Abstract union operator: x y : x x y & y x y Enforces convergence: (x n ) n 0 y 0 = x 0 y n + 1 = y n x n+1 (y n ) n 0 is ultimately stationary

45 Widening of intervals [a, b] [a', b'] If a a' then a else - If b' b then b else + Open unstable bounds (jump over the fixpoint)

46 Widening and Fixpoint fixpoint widening

47 Iteration with widening 1: n = 0; 2: while n < 1000 do 3: n = n + 1; 4: end 5: exit (E 2# ) n+1 = (E 2# ) n ( n = 0 # (E 1# ) n (E 4# ) n ) Iteration 1 (union): E 2# = [0, 0] Iteration 2 (union): E 2# = [0, 1] Iteration 3 (widening): E 2# = [0, + ] stable

48 Imprecision at loop exit 1: n = 0; 2: while n < 1000 do 3: n = n + 1; 4: end 5: exit; t[n] = 0; // t has 1500 elements E 5# = [1000, [ False positive!!!

49 Narrowing operator Lattice (L, ): L L L Abstract intersection operator: x y : x y x y Enforces convergence: (x n ) n 0 y 0 = x 0 y n + 1 = y n x n+1 (y n ) n 0 is ultimately stationary

50 Narrowing of intervals [a, b] [a', b'] If a = - then a' else a If b = + then b' else b Refines open bounds

51 Narrowing and Fixpoint fixpoint narrowing widening

52 Iteration with narrowing 1: n = 0; 2: while n < 1000 do 3: n = n + 1; 4: end 5: t[n] = 0; (E 2# ) n+1 = (E 2# ) n ( n = 0 # (E 1# ) n (E 4# ) n ) Beginning of iteration: E 2# = [0, [ Iteration 1: E 2# = [0, 1000] stable Consequence: E 5# = [1000, 1000]

53 Methodology Concrete Semantics Tuners Collecting Semantics Abstract Domain Abstract Domain Partitioning Abstract Semantics Iterative Resolution Algorithms

54 Tuning the abstract domains 1: n = 0; 2: k = 0; 3: while n < 1000 do 4: n = n + 1; 5: k = k + 1; 6: end 7: exit Intervals: E 4# = n k [ Convex polyhedra: E 4# = n k n - k = 0

55 Annotated Bibliography

56 References The historic paper: Patrick Cousot & Radhia Cousot. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In Conference Record of the Fourth Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages , Los Angeles, California, ACM Press, New York, NY, USA. Accessible introductions to the theory: Patrick Cousot. Semantic foundations of program analysis. In S.S. Muchnick and N.D. Jones, editors, Program Flow Analysis: Theory and Applications, Ch. 10, pages , Prentice-Hall, Inc., Englewood Cliffs, New Jersey, U.S.A., Patrick Cousot & Radhia Cousot. Abstract interpretation and application to logic programs. Journal of Logic Programming, 13(2 3): , Beyond Galois connections, a presentation of relaxed frameworks: Patrick Cousot & Radhia Cousot. Abstract interpretation frameworks. Journal of Logic and Computation, 2(4): , August A thorough description of a static analyzer with all the proofs (difficult to read): Patrick Cousot. The Calculational Design of a Generic Abstract Interpreter. Course notes for the NATO International Summer School 1998 on Calculational System Design. Marktoberdorf, Germany, 28 July 9 august 1998, organized by F.L. Bauer, M. Broy, E.W. Dijkstra, D. Gries and C.A.R. Hoare.

57 References The abstract domain of intervals: Patrick Cousot & Radhia Cousot. Static Determination of Dynamic Properties of Programs. In B. Robinet, editor, Proceedings of the second international symposium on Programming, Paris, France, pages , april , Dunod, Paris. The abstract domain of convex polyhedra: Patrick Cousot & Nicolas Halbwachs. Automatic discovery of linear restraints among variables of a program. In Conference R ecord of the Fifth Annual ACM SIGPLAN- SIGACT Symposium on Principles of Program ming Languages, pages 84 97, Tucson, Arizona, ACM Press, New York, NY, USA. Weakly relational abstract domains: Antoine Miné. The Octagon Abstract Domain. In Analysis, Slicing and Transformation (part of Working Conference on Reverse Engineering), October 2001, IEEE, pages Antoine Miné. A New Numerical Abstract Domain Based on Difference-Bound Matrices. In Program As Data Objects II, May 2001, LNCS 2053, pages Classical data flow analysis: Steven Muchnick. Advanced Compiler Design and Implementation. Morgan Kaufmann, 1997.

Discrete Fixpoint Approximation Methods in Program Static Analysis

Discrete Fixpoint Approximation Methods in Program Static Analysis P. Cousot Département de Mathématiques et Informatique École Normale Supérieure Paris